Archive for February, 2017

HIPAA is complex legislation. Most people, as well as institutions, don’t have a good grasp on HIPAA. As a result, there is a great deal of misinformation out there. In my experience within the healthcare space, many hospitals don’t even have a good handle on HIPAA.

HIPAA’s scope extends well beyond data protection. It includes personnel who must be trained for HIPAA, logging and reporting of privacy violations, and even patients’ rights to obtain their own healthcare information. Most of the time, though, the focus is on protected health information (PHI) when HIPAA is discussed.

Who does HIPAA apply to? It applies to “covered entities”. A covered entity is a provider of healthcare services that stores healthcare information about its customers (i.e., patients). More specifically, HIPAA was devised to cover transactions between healthcare providers and payers (insurers). One could extrapolate this to mean that HIPAA applies to reimbursable tests.

Hospitals interact with many other businesses that may have access to patient information (protected health information, PHI). These may be labs, medical device companies, etc. These businesses become “business associates” of the covered entity, and HIPAA extends to them as well. Becoming a business associate is a legal process of signing a business associate agreement (BAA) with a covered entity.

HIPAA does not apply to software or apps storing information on behalf of end users. In fact, this was Google’s position when Google Health was in existence. It is the stance of all personal health record (PHR) services, such as Microsoft HealthVault.

HIPAA does not apply to non-medical information, such as fitness data. Making the determination as to what counts as medical information can be blurry at times. Remember, HIPAA was developed to cover reimbursable tests. That may be a good litmus test for categorizing information as medical. Is the number of steps you took last week medical information? No.

Even though HIPAA does not apply to many situations, that doesn’t mean privacy should be ignored. All apps should be designed with data protection as a primary goal. Developers should be aware of common security flaws and follow best practices for data protection. Apps should contain terms of use and privacy policies.